 Raw Registry Editor, Edit registry hives without using Windows API functions
post May 16 2008, 09:30 AM
Post #1
Nuno Brito

Raw Registry Editor


This was a project that started some time ago and intended to understand how the registry hives worked.

Today I can say that this goal was achieved and the registry hive can be edited without using Windows registry functions.



Download link: http://nunobrito.eu/download.php?view.10


What is the advantage of not using Win32 API?

- No need to load a hive into the local registry
- Overcome any security restrictions imposed by Win32 API
- Works on every Windows platform (from Windows 9x all the way up to Vista)
- No UAC restrictions regarding hive load without administrator permissions
- More features can be added in the future.



--------------------------------


Things to expect from this Raw Registry Editor (RawReg for short name)


- Freeware
- Fast
- Gives a (huge) amount of details and information about any given hive


----------

What can it do?

- Browse the hive structure
- Edit the data on values
- Change the title of values
- Show a map with information of data inside each bin
- Show details about physical offset of any given key


Please note that unlike any other raw registry editors, this is the only program that can really add more data onto a given registry hive and manage the bin space properly. In the past, people were limited to only changing data on keys that needed to have the exact same size; there are no such restrictions here and many things can be added - post your requests and I'll see if they can be included.



It is also the initial test version, more features will be added in the future.

Hope you like this tool.

post May 16 2008, 09:54 AM
Post #2
was_jaclaz


GOOD!

I will test it as soon as I can and report.


jaclaz


post May 16 2008, 12:06 PM
Post #3
paraglider


It crashes when I load a non-live software hive:

Unhandled exception at 0x772388f7 in RawReg.exe: 0xC0000005: Access violation writing location 0x00030fc4.
post May 16 2008, 12:19 PM
Post #4
was_jaclaz


Hmmm, as I see it not (yet) ready for anything but debugging.

Problems/reports (on win2k):
1) by default the "open hive on start" is checked, thus if there is a problem with a hive, the program won't run EVER again until you have deleted rawreg.ini
2) Open a "default" hive, size 164 Kb in size - result OK
3) Open a "SAM" hive, size 32 Kb in size - result OK
4) Open a "SECURITY" hive, size 32 Kb - problems:
a. when clicking on "Policy" ERROR - Access violation error at address 0047F530
b. when clicking on the small + sign near "Policy" it opens the subtree correctly, but clicking on any folder below "Policy" results in "cannot access file <path>\SECURITY file is in use by another process"
c. file seems to remain "in use" even if you open another hive and then try reloading "SECURITY"
d. if you DO NOT click on "Policy" and open the sub-tree clicking on the + sign, keys are accessed all right
5) Open "software" hive size 11.460 Kb, CPU goes 98 %, memory usage goes berserk, stepping up in 4 kb steps, each step every two seconds roughly, app does not respond, terminated after 5 minutes running and at 54.368 Kb memory occupied
6) Open "system" hive size 5.368 Kb as 5) above
7) Same for "software" and "system" hives sized respectively 2.756 and 1.840 Kb memory usage grows MUCH faster, after two minutes running around 240.000 Kb still not responding, then dropped down to about 11.000 kb, still not responding, starting growing again, after another two minutes back to around 240.000 Kb - killed-


Do you need any form of logging?

jaclaz


post May 16 2008, 12:31 PM
Post #5
paraglider


That was similar to what happened to me. Opened sam file ok then tried to open software. The program hung. Killed it, deleted the ini file, then restarted the program and attempted to load software. I now get the crash every time.
post May 16 2008, 12:35 PM
Post #6
was_jaclaz


More probs:
Opened a ntuser.dat 192 kb in size
1) changing details to "hive map" gives a "Richedit insertion line error"
2) hive time stamp reported as 01/01/1601, I do have this machine since a long time, but NOT such a long time

jaclaz


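Added example, not RawReg's code and not from any poster in this thread: a minimal Python reader for the regf base block and hbin headers that rejects non-hive, tampered or truncated input with an error instead of crashing, and shows why an all-zero last-written field displays as 01/01/1601. Field offsets follow the publicly documented regf layout; the sample hive is constructed and contains headers only.

```python
import struct
from datetime import datetime, timedelta, timezone
BASE_BLOCK = 4096          # size of the regf base block; hive bins start right after it
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC, so 0 is exactly that date."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def regf_checksum(block):
    """XOR of the first 127 little-endian dwords (bytes 0..507) of the base block."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(x, x)

def parse_hive(data):
    """Validate the base block and map the hive bins; raise ValueError on anything odd."""
    if len(data) < BASE_BLOCK or data[:4] != b"regf":
        raise ValueError("not a registry hive (missing regf signature)")
    seq1, seq2, ftime = struct.unpack_from("<IIQ", data, 4)
    root_cell, bins_size = struct.unpack_from("<II", data, 36)
    (stored,) = struct.unpack_from("<I", data, 508)
    if stored != regf_checksum(data):
        raise ValueError("base block checksum mismatch")
    if bins_size % 4096 or BASE_BLOCK + bins_size > len(data):
        raise ValueError("hive bins size exceeds file size")
    bins, off = [], 0
    while off < bins_size:
        sig, rel, size = struct.unpack_from("<4sII", data, BASE_BLOCK + off)
        if sig != b"hbin" or rel != off or size == 0 or size % 4096 or off + size > bins_size:
            raise ValueError(f"corrupt hive bin at file offset {BASE_BLOCK + off:#x}")
        bins.append((BASE_BLOCK + off, size))   # (physical offset, bin size)
        off += size
    return {"clean": seq1 == seq2, "last_written": filetime_to_utc(ftime),
            "root_cell_file_offset": BASE_BLOCK + root_cell, "bins": bins}

def build_sample_hive(ftime=0):
    """Constructed two-bin hive skeleton (headers only, no real keys) for the demo."""
    base = bytearray(BASE_BLOCK)
    struct.pack_into("<4sIIQ", base, 0, b"regf", 7, 7, ftime)
    struct.pack_into("<II", base, 36, 0x20, 0x3000)
    struct.pack_into("<I", base, 508, regf_checksum(base))
    bin1 = struct.pack("<4sII", b"hbin", 0, 0x1000).ljust(0x1000, b"\0")
    bin2 = struct.pack("<4sII", b"hbin", 0x1000, 0x2000).ljust(0x2000, b"\0")
    return bytes(base) + bin1 + bin2

if __name__ == "__main__":
    print(parse_hive(build_sample_hive()))
```
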
post May 16 2008, 03:54 PM
Post #7
Nuno Brito


Interesting results, thank you for testing and posting the results.

My experiments up to this point have been done with setupreg.hiv and bcd files.

Will now pick on the other hives to see why they are different and improve the results.

Thank you!

post May 16 2008, 05:24 PM
Post #8
MedEvil


Even though there are still a few initial problems.
(thumbs up) For finishing this Baby!!!

Great work Nuno!


post May 16 2008, 09:01 PM
Post #9
Nuno Brito


One detail:
If the program crashes while trying to load a hive (or non-hive) file - then the memory won't be properly disposed until the system is rebooted. Please forgive me as I'm still a bit inexperienced handling memory streams when things go wrong.

For those who know Delphi - I'm using TFileStream to map the file into memory. Have to learn a bit more about them or use a better way to open files and properly dispose the memory they use when the program crashes.

-------------------------------


One request:

Please send me as email attachments the problematic hives so that I can test them at home.

Thank you for the feedback.

post May 17 2008, 01:37 PM
Post #10
paraglider


Registry hives tend to be quite large even when zipped. Are you sure you want them as an email attachment? They may also contain sensitive information that it's not a good idea to trust to email.